⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.
| Attribute | Value |
|---|---|
| Publisher | |
| Support Tier | |
| Solution Folder | SAP |
This solution provides 1 data connector(s):
This solution uses 2 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| ABAPAuditLog_CL | Microsoft Sentinel for SAP | - |
| ABAPChangeDocsLog_CL | Microsoft Sentinel for SAP | - |
This solution includes 3 content item(s) (0 in solution, 3 discovered 🔍):
| Content Type | Total | In Solution | Discovered |
|---|---|---|---|
| Playbooks | 3 | 0 | 3 |
| Name | Description | Tables Used |
|---|---|---|
| SAP - Lock User (Agentless Basic) ⚠️ | This playbook locks an SAP user when triggered by a Microsoft Sentinel incident. It dynamically find... | - |
| workflow ⚠️ | < 🏡home | - |
| workflow ⚠️ | < 🏡home | - |
⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.
📄 Source: SAP/README.md
Please visit: https://docs.microsoft.com/azure/sentinel/sap-deploy-solution
See our playbooks built on Logic Apps (Standard) here.
Agentless solution release notes can be found in the Agentless README file.
| Date issued | Version Number | Content |
|---|---|---|
| 28/06/23 | 2.0.74 | SAP Audit Control Workbook |
| 18/09/23 | 2.0.76 | SAP Audit Control Workbook: reflect alerts in addition to incidents; added visualizations for better monitoring; focus on SAP alerts by default. Exclude users using wildcards: the SAPUsersGetVIP function now supports excluding users using wildcards. For example, all firefighters can be excluded using FF*. The “SAP - Security Audit Log Configuration Change” logic was modified so it will not alert on dummy changes that surface after system restart. |
| 01/01/2024 | 3.0.1 | Content migrated to a content hub V3 protocol to overcome the error of “Creating the resource of type Microsoft.Resources/templateSpecs would exceed the quota of ‘800’ resources of type Microsoft.Resources/templateSpecs per resource group” |
| 02/02/2024 | 3.0.3 | Updated and improved logic for these alert rules: SAP - Execution of an Obsolete or an Insecure Function Module; SAP - Multiple Password Changes; SAP - Assignment of a sensitive role; SAP - Sensitive User's Password Change and Log in; SAP - Login from unexpected network; SAP - Sensitive privileged user makes a change in another user. Updated parsers: SAPChangeDocsLog (support for blank workspaces, added SystemGuid); SAPJAVAFilesLogs (switch to SAPControl file-based logs); SAPSpoolLog, SAPSpoolOutputLog (handle different SpoolRequestNumber formats in different SAP releases); SAPTableDataLog (handle SidGuid, UpdatedOn fields); SAPUsersAssignments (infer user master data changes in near real time); SAPUsersGetPrivileged (allow SAP AS JAVA systems support). |
| 06/03/2024 | 3.1.0 | New JAVA AS alert rules: SAP - (Preview) AS JAVA - Sensitive Privileged User Signed In; SAP - (Preview) AS JAVA - Sign-In from Unexpected Network; SAP - (Preview) AS JAVA - User Creates and Uses New User. SAP - Execution of an Obsolete or an Insecure Function Module: improved logic. |
| 15/04/2024 | 3.1.4 | Bug fixes |
| 25/04/2024 | 3.1.5 | Fixes SAPCONTROL_CL error when using cross workspace feature |
| 16/06/2024 | 3.1.7 | Improved and simplified logic for 4 alert rules: SAP Data has Changed During Debugging Activity; SAP Execution of Sensitive Function Module; SAP Function module tested; SAP Multiple Logons by IP. Fixed bugs in parsers: SAPCRLog, SAPGetSystemParameter. Added additionalData column to "SAP - Systems" watchlist. |
| 11/07/2024 | 3.1.13 | Handle the "Unknown function" error on queries using multiple parsers. Disable incident creation for low severity data collection health alerts. Excluded SAPJAVAFilesLogs from being queried in SAPSystems and SAPUsers* parsers by default. Updated "Audit Controls" workbook to support solution versions 3.X. Updated workbooks to default to local workspace even when workspace is a fresh one. |
| 12/02/2024 | 3.2.02 | Added two new detections: SAP - (Preview) Dormant users detected, SAP - (Preview) Developer key assigned in a production system (Preview). Switched SAPAuditLog to be based on standard table ABAPAuditLog. Added support for SAP version 7.31 through 7.4 to reflect dialog users' IP address using TableDataLog (DBTABLOG). Enable table logging for SAP table USR41 to enable this feature. |